SeparationOfDutyPolicyManager

Overview

Package

Class

Use

Tree

Serialized

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.ibm.itim.apps.policy
Class SeparationOfDutyPolicyManager

java.lang.Object
  com.ibm.itim.apps.policy.SeparationOfDutyPolicyManager

public class SeparationOfDutyPolicyManager
extends java.lang.Object
extends java.lang.Object

Provides aggregate separation of duty policy management capabilities. These capabilities include the creation of a separation of duty policy.

Constructor Summary
`SeparationOfDutyPolicyManager(PlatformContext platform, javax.security.auth.Subject subject)` Constructs the manager with a platform context and a subject.

Method Summary
`java.lang.Boolean`	`checkAccess(OrganizationalContainerMO container, java.lang.String operation)` Check to see if the given signed in user can perform a given change.
`Request`	`createPolicy(OrganizationalContainerMO container, SeparationOfDutyPolicy policy, java.util.Date scheduleTime)` Creates a separation of duty policy in the provisioning platform with the specified attributes within the given container.
`IHierarchyConflicts`	`detectHierarchyConflicts(java.util.Set<java.lang.String> currentRoles, java.util.Set<java.lang.String> desiredRoles)` Validates whether a given set of roles can coexist with an existing set of roles in a separation of duty policy rule.
`java.util.Map<Person,java.util.Collection<IPolicyResult>>`	`evaluateViolations(java.util.Collection<Person> persons)` For a particular person, evaluate the role violations against the separation of duty policies of the system.
`java.util.Collection<IPolicyResult>`	`evaluateViolations(Person person)` For a given person, evaluate the role violations against the separation of duty policies of the system.
`void`	`exempt(IRuleViolation violation, java.lang.String justification)` Exempt the passed-in violation and audit the submitter and their justification for this call.
`java.util.Collection<SeparationOfDutyPolicy>`	`getPolicies(java.lang.String roleName)` Returns the separation of duty policies(s) that have exclusion rules which match the given role name.
`SeparationOfDutyPolicyMO`	`getPolicyByURI(OrganizationalContainerMO container, java.lang.String uri)` Returns the separation of duty policy for the given Uniform Resource Identifier (URI) within the specified parent container.
`void`	`revoke(IRuleExemption exemption, java.lang.String justification)` Revoke the passed-in exemption and audit the submitter and their justification for this call.

Methods inherited from class java.lang.Object
`equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

SeparationOfDutyPolicyManager

public SeparationOfDutyPolicyManager(PlatformContext platform,
                                     javax.security.auth.Subject subject)

Constructs the manager with a platform context and a subject.

Parameters:: platform - PlatformContext holding platform connection information.; subject - Subject representing the authenticated caller.

Method Detail

createPolicy

public Request createPolicy(OrganizationalContainerMO container,
                            SeparationOfDutyPolicy policy,
                            java.util.Date scheduleTime)
                     throws java.rmi.RemoteException,
                            AuthorizationException,
                            ApplicationException

Creates a separation of duty policy in the provisioning platform with the specified attributes within the given container. This method does not check whether or not the new policy contains all required attribute values (name, membership, entitlement)

Parameters:: container - OrganizationalContainerMO within which the the separation of duty policy is to be placed.; policy - The separation of duty policy to create.; scheduleTime - The scheduled starting time of the process. If null, the process will start immediately. If this method is invoked remotely, passing this parameter as the current date/time of the client machine is not a safe technique to use, since the date/time of the client machine may not match the date/time of the Tivoli Identity Manager server machine.
Returns:: Request representing the successfully submitted creation request.
Throws:: java.rmi.RemoteException - Thrown if unable to communicate with the platform.; AuthorizationException - Thrown if the client is unauthorized to create the policy in the given container.; ApplicationException - Thrown if unable to create the separation of duty policy. This might be caused if another client removes the container before the call.

checkAccess

public java.lang.Boolean checkAccess(OrganizationalContainerMO container,
                                     java.lang.String operation)
                              throws java.rmi.RemoteException,
                                     AuthorizationException,
                                     ApplicationException

Check to see if the given signed in user can perform a given change.

Parameters:: container - OrganizationalContainerMO within which the the separation of duty policy will be placed/removed/added.; operation - The operation is being checked.
Returns:: True if the signed in user can perform the given operation.
Throws:: java.rmi.RemoteException - Thrown if unable to communicate with the platform.; AuthorizationException - Thrown if the client is unauthorized to perform an operation in the given container.; ApplicationException - Thrown if unable to check if the operation should be allowed. This might be caused if another client removed the container before the call.
See Also:: for valid operation values., Permission

getPolicyByURI

public SeparationOfDutyPolicyMO getPolicyByURI(OrganizationalContainerMO container,
                                               java.lang.String uri)
                                        throws java.rmi.RemoteException,
                                               ApplicationException

Returns the separation of duty policy for the given Uniform Resource Identifier (URI) within the specified parent container.

Parameters:: container - OrganizationalContainerMO representing the parent container to scope the search.; uri - String representing the Provisioning policy URI.
Returns:: SeperationOfDutyPolicyMO representing the matching separation of duty policy
Throws:: java.rmi.RemoteException - Thrown if unable to communicate with platform.; ApplicationException - Thrown if unable to obtain the separation of duty policy. This might be caused by the container being removed by another client previous to this call. This exception might also be thrown if the container object is null or represents the tenant, no policy is found for the given URI within the container, or more than one policy is found for the given URI within the container.

getPolicies

public java.util.Collection<SeparationOfDutyPolicy> getPolicies(java.lang.String roleName)
                                                         throws java.rmi.RemoteException,
                                                                ApplicationException

Returns the separation of duty policies(s) that have exclusion rules which match the given role name. A empty or null roleName will be a search where roleName equals * Note, if the client is unauthorized to search a separation of duty policy, an AuthorizationException will be thrown.

Parameters:: roleName - Role name to search for which are part of separation of duty policy exclusion rules. A role name LDAP pattern is used to search and uses the RFC2254 format. (E.g. myrole* for all roles with start with 'myrole'.)
Returns:: Collection of SeparationOfDutyPolicy representing the matching policies.
Throws:: java.rmi.RemoteException - Thrown if unable to communicate with the platform.; ApplicationException - Thrown if unable to obtain the provisioning policy. This might be caused if another client removes the container prior to the call.

evaluateViolations

public java.util.Collection<IPolicyResult> evaluateViolations(Person person)
                                                       throws java.rmi.RemoteException,
                                                              ApplicationException

For a given person, evaluate the role violations against the separation of duty policies of the system. Disabled policies are not a part of this evaluation. If the person passed is null, an IllegalArgumentException is thrown. If the person does not exist, an ObjectNotFoundException is thrown. The client user needs proper authorization to read the given person in order to search on the roles of the person. Separation of duty policies which are in violation are returned as a collection of DistinguishedName. Creating new SeparationOfDutyPolicyMO for each DistinguishedName allows for reading each policy (via getData() method) given that the client user has proper authorization to search. The separation of duty policy evaluation also takes into account a role hierarchy. Consider the following example: There are two parent roles, A and B, which have 1 child each. Role A has child Role Z, while Role B has child Role Y. If a separation of duty policy has a rule which separates Role A from Role B, a person with the following role combinations would be in violation of this policy (where order does not matter):

Role A, Role B
Role A, Role Y
Role Z, Role B
Role Z, Role Y

Parameters:: Person - to evaluate the roles of, for separation of duty policy violations.
Returns:: Collection of Separation of Duty policies in violation with this particular person.
Throws:: java.rmi.RemoteException - Thrown if unable to communicate with the platform.; ApplicationException - Thrown if unable to obtain the person. This might occur if another client removed the person prior to the call.

evaluateViolations

public java.util.Map<Person,java.util.Collection<IPolicyResult>> evaluateViolations(java.util.Collection<Person> persons)
                                                                             throws java.rmi.RemoteException,
                                                                                    ApplicationException

For a particular person, evaluate the role violations against the separation of duty policies of the system. Disabled policies are not a part of this evaluation. If the person passed is null, an IllegalArgumentException is thrown. If the person passed does not exist, an ObjectNotFoundException is thrown. The client user needs proper authorization to read the given person in order to search on the roles of that person. Separation of duty policies which are in violation are returned as a collection of DistinguishedName. Creating new SeparationOfDutyPolicyMO for each DistinguishedName allows for reading each policy (via getData() method) given that the client user has proper authorization to search. The separation of duty policy evaluation also takes into account a role hierarchy. Consider the following example: There are two parent roles, A and B, which have 1 child each. Role A has child Role Z, while Role B has child Role Y. If a separation of duty policy has a rule which separates Role A from Role B, a person with the following role combinations would be in violation of this policy (where order does not matter):

Role A, Role B
Role A, Role Y
Role Z, Role B
Role Z, Role Y

Parameters:: Collection - of person to evaluate the roles of, for separation of duty policy violations.
Returns:: Map of persons and Collection of separation of duty policies in violation with these persons.
Throws:: java.rmi.RemoteException - Thrown if unable to communicate with the platform.; ApplicationException - Thrown if unable to obtain the person. This might occur if another client removes the person prior to this call.

detectHierarchyConflicts

public IHierarchyConflicts detectHierarchyConflicts(java.util.Set<java.lang.String> currentRoles,
                                                    java.util.Set<java.lang.String> desiredRoles)
                                             throws ApplicationException,
                                                    java.rmi.RemoteException

Validates whether a given set of roles can coexist with an existing set of roles in a separation of duty policy rule. The set of roles can coexist if any of the desired roles are not direct ancestors, or do not descend directly from any other role in the current set or desired set. Use this method to validate roles or sets of roles as they are added to separation of duty policy rules.

Parameters:: currentRoles - The set of roles that are currently added to a rule.; desiredRoles - The set of roles that are to be added to a rule.
Returns:: An IHierarchyConflicts object detailing information about conflicting roles.
Throws:: ApplicationException - If there is an application error that prevented the conflicts from being detected.; java.rmi.RemoteException - If there is an error connecting with the server.

revoke

public void revoke(IRuleExemption exemption,
                   java.lang.String justification)
            throws java.rmi.RemoteException,
                   ApplicationException

Revoke the passed-in exemption and audit the submitter and their justification for this call.

Parameters:: exemption - The exemption to revoke.; justification - The reason for the revocation.
Throws:: ApplicationException - Thrown when an application-level error occurs.; AuthorizationException - Thrown if the user is not authorized to perform the operation.; java.rmi.RemoteException

exempt

public void exempt(IRuleViolation violation,
                   java.lang.String justification)
            throws java.rmi.RemoteException,
                   ApplicationException

Exempt the passed-in violation and audit the submitter and their justification for this call.

Parameters:: exemption - The violation to exempt.; justification - The reason for the exemption.
Throws:: ApplicationException - Thrown when application-level error occurs.; AuthorizationException - Thrown if the user is not authorized to perform the operation.; java.rmi.RemoteException

Overview

Package

Class

Use

Tree

Serialized

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

IBM Security Identity Manager 6.0.0
© Copyright International Business Machines Corporation 2007, 2012. All rights reserved. US Government Users Restricited Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

com.ibm.itim.apps.policy Class SeparationOfDutyPolicyManager

SeparationOfDutyPolicyManager

createPolicy

checkAccess

getPolicyByURI

getPolicies

evaluateViolations

evaluateViolations

detectHierarchyConflicts

revoke

exempt

com.ibm.itim.apps.policy
Class SeparationOfDutyPolicyManager